I pondered using metadata but both metadata and inputlookup need to be the first command so that seems to be a non-starter.

I can use the REST API and get the desired result by effectively doing the outer join outside Splunk, but I wonder what other options exist. I am probably not able to increase the subquery auto-finalize limit.

2 Answers

There are a couple of ways. First, another answer has suggested using the metadata command, which is fine as long as you're just counting by host. If you're needing a more specific query, a count by host+source, or something else, that won't help you (though in version 6.0 you can do things like | tstats count WHERE source=xyz GROUPBY host,source very quickly using any other indexed field, or you can similarly use an accelerated data model for more complex queries).